Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

server.listen's bind argument does not accept [::] for ipv6 #54441

Open
ThisIsMissEm opened this issue Aug 18, 2024 · 12 comments · Fixed by #54470
Open

server.listen's bind argument does not accept [::] for ipv6 #54441

ThisIsMissEm opened this issue Aug 18, 2024 · 12 comments · Fixed by #54470
Labels
dns Issues and PRs related to the dns subsystem. net Issues and PRs related to the net subsystem.

Comments

@ThisIsMissEm
Copy link

Version

22, 20

Platform

Darwin the-beast-kitten.local 23.6.0 Darwin Kernel Version 23.6.0: Mon Jul 29 21:14:46 PDT 2024; root:xnu-10063.141.2~1/RELEASE_ARM64_T6031 arm64

Subsystem

net or dns

What steps will reproduce the bug?

require('http').createServer((req, res) => {
  res.statusCode = 200;
  res.end("OK");
}).listen(4001, '[::]');

Outputs:

node:events:497
      throw er; // Unhandled 'error' event
      ^

Error: getaddrinfo ENOTFOUND [::]
    at GetAddrInfoReqWrap.onlookup [as oncomplete] (node:dns:109:26)
Emitted 'error' event on Server instance at:
    at GetAddrInfoReqWrap.doListen [as callback] (node:net:2132:12)
    at GetAddrInfoReqWrap.onlookup [as oncomplete] (node:dns:109:17) {
  errno: -3008,
  code: 'ENOTFOUND',
  syscall: 'getaddrinfo',
  hostname: '[::]'
}

Node.js v20.16.0

(also reproducible on 22.2.0, same error)

How often does it reproduce? Is there a required condition?

Always

What is the expected behavior? Why is that the expected behavior?

Should listen on all interfaces for ipv6.

What do you see instead?

Server fails to start with an error.

Additional information

Using bind of :: works, so the following succeeds:

require('http').createServer((req, res) => {
  res.statusCode = 200;
  res.end("OK");
}).listen(4001, '::');

This causes compatibility issues if you've configuration that has a BIND parameter that needs to be passed to Node.js and another process, such as the Ruby on Rails built-in server, which doesn't accept bind of :: but does accept [::]

@ThisIsMissEm
Copy link
Author

This was discovered via mastodon/mastodon#31395

@RedYetiDev RedYetiDev added the http Issues or PRs related to the http subsystem. label Aug 18, 2024
@ThisIsMissEm
Copy link
Author

Interestingly, net.isIPv6('[::]') also returns false, when I'd expect it to return true, I think?

@ThisIsMissEm
Copy link
Author

@RedYetiDev I believe this affects all net#listen calls, not just http#listen

@RedYetiDev RedYetiDev added the net Issues and PRs related to the net subsystem. label Aug 18, 2024
@RedYetiDev
Copy link
Member

RedYetiDev commented Aug 18, 2024

@nodejs/net + @nodejs/dns

@RedYetiDev
Copy link
Member

require('http').createServer((req, res) => {
  res.statusCode = 200;
  res.end("OK");
}).listen(4001, '[::]');
$ node repro.js                  
node:events:498
      throw er; // Unhandled 'error' event
      ^

Error: getaddrinfo ENOTFOUND [::]
    at GetAddrInfoReqWrap.onlookup [as oncomplete] (node:dns:109:26)
Emitted 'error' event on Server instance at:
    at GetAddrInfoReqWrap.doListen [as callback] (node:net:2130:12)
    at GetAddrInfoReqWrap.onlookup [as oncomplete] (node:dns:109:17) {
  errno: -3008,
  code: 'ENOTFOUND',
  syscall: 'getaddrinfo',
  hostname: '[::]'
}

Node.js v22.6.0

@RedYetiDev RedYetiDev added dns Issues and PRs related to the dns subsystem. and removed http Issues or PRs related to the http subsystem. labels Aug 18, 2024
@bnoordhuis
Copy link
Member

This has been reported and discussed before but [::] is a phrase GitHub's search function doesn't do well on...

[::] is URL syntax, whereas node's dns, net and http modules expect plain addresses and host names.

I think it should be possible to accept and ignore the brackets without introducing ambiguities. It is however definitely a change in behavior and therefore may have backwards compatibility and/or security implications for downstream users.

@ThisIsMissEm
Copy link
Author

Yeah, it could also be ruby/rails which is wrong in using url syntax in their BIND environment variable.

i think automatically stripping brackets with a warning might be okay?

@mcollina
Copy link
Member

I would not add any specific stripping to this; these kinds of things often end up as attack surfaces for vulnerability hunters. The loopback interface is ::, not [::], use the right one.

@ThisIsMissEm
Copy link
Author

Would it be possible to throw a better error here? e.g., an invalid argument error that explains :: vs [::] if the input argument for bind starts with [ ?

@mcollina
Copy link
Member

I think that would be a very good idea.

@mcollina mcollina added the good first issue Issues that are suitable for first-time contributors. label Aug 20, 2024
@ThisIsMissEm
Copy link
Author

I'm not sure where / how I'd do a patch for something like that — it's been far too long since I've contributed to the Node.js codebase.

jazelly added a commit to jazelly/node that referenced this issue Aug 21, 2024
Fixes: nodejs#54441

Co-authored-by: Luigi Pinca <luigipinca@gmail.com>
jazelly added a commit to jazelly/node that referenced this issue Aug 21, 2024
Fixes: nodejs#54441

Co-authored-by: Luigi Pinca <luigipinca@gmail.com>
jazelly added a commit to jazelly/node that referenced this issue Aug 22, 2024
Fixes: nodejs#54441

Co-authored-by: Luigi Pinca <luigipinca@gmail.com>
jazelly added a commit to jazelly/node that referenced this issue Aug 22, 2024
Fixes: nodejs#54441

Co-authored-by: Luigi Pinca <luigipinca@gmail.com>
nodejs-github-bot pushed a commit that referenced this issue Aug 25, 2024
Fixes: #54441

Co-authored-by: Luigi Pinca <luigipinca@gmail.com>
PR-URL: #54470
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Jake Yuesong Li <jake.yuesong@gmail.com>
@jazelly
Copy link
Member

jazelly commented Aug 28, 2024

My attempt to add a general regex check at a higher level is not feasible. The server.listen method doesn't perform validation on the host parameter; instead, it simply passes it down to the uv layer for lookup, which is why we're encountering this error. The method relies on the lookup process to reject invalid host values. Currently, it accepts almost any character, and there isn't a straightforward way to implement a high-level guard to cover what is valid domain name and what is not.

For this specific issue, I think it's kind of like a matter of deciding whether/how we want to enforce host validation within server.listen. I'm hesitant to introduce a check that only targets specific cases, such as [], but also don't have better idea.

Edit: for reference, ada-url parses [::], which comes back as is, and leave it to uv to lookup

std::string ascii_hostname = ada::idna::to_ascii(hostname.ToStringView());

@jakecastelli jakecastelli reopened this Aug 29, 2024
@jakecastelli jakecastelli removed the good first issue Issues that are suitable for first-time contributors. label Aug 29, 2024
louwers pushed a commit to louwers/node that referenced this issue Nov 2, 2024
Fixes: nodejs#54441

Co-authored-by: Luigi Pinca <luigipinca@gmail.com>
PR-URL: nodejs#54470
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Jake Yuesong Li <jake.yuesong@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dns Issues and PRs related to the dns subsystem. net Issues and PRs related to the net subsystem.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

7 participants